Bug 1976303 - AVC avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-06-25 17:47 UTC by Colin Walters
Modified: 2022-07-27 10:09 UTC
CC List: 7 users

Last Closed: 2022-07-27 10:09:00 UTC
Type: Bug




Links
System: Github
ID: fedora-selinux selinux-policy pull 1212
Private: 0
Priority: None
Status: open
Summary: Allow systemd work with install_t unix stream sockets
Last Updated: 2022-05-31 17:47:59 UTC

Internal Links: 2110012

Description Colin Walters 2021-06-25 17:47:49 UTC
Hi, I'm trying to add support for having rpm-ostree listen on a socket, and it's being blocked by current policy:

Jun 25 17:39:05 cosa-devsh audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=0

Unlike most other daemons, rpm-ostreed runs as `install_t` because it may set SELinux security contexts.

Anyway, just like we allow systemd to create:
[root@cosa-devsh ~]# ls -alZ /run/docker.sock 
srw-rw----. 1 root docker system_u:object_r:container_var_run_t:s0 0 Jun 25 17:38 /run/docker.sock

Let's allow it to listen on an install_t socket please.

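Added example (not part of this bug report, of rpm-ostree, or of selinux-policy): a small Python script that turns AVC denial lines like the one quoted above into the equivalent TE allow rules and a checkmodule-style local module, roughly what `audit2allow -M` does, so the permissions being requested can be read off and reviewed before any policy change. Only the `create` denial comes from the report; the second sample line (a `listen` denial) and the module name `rpm_ostreed_socket_local` are constructed for illustration. Note that the target here is a socket object labelled install_t, not a file label like the container_var_run_t on /run/docker.sock: systemd typically creates a socket-activated unit's socket with the target service's context, so a complete fix usually needs more than `create` (bind, listen and accept are the usual companions), which is why aggregating every denial from a permissive-mode run is more useful than reacting to the first one. The distribution fix belongs in selinux-policy (see the linked pull request); a local module built from this output is only a stopgap.

```python
"""Turn SELinux AVC denial lines into TE allow rules (a minimal audit2allow).

Added example; not part of this bug report or of selinux-policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input. The first line is the denial quoted in the bug;
# the second is a hypothetical follow-up denial of the kind one would expect
# to see next in permissive mode, added here only to show aggregation.
SAMPLE_AUDIT = """\
Jun 25 17:39:05 cosa-devsh audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=0
Jun 25 17:39:05 cosa-devsh audit[1]: AVC avc:  denied  { listen } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
"""

# Matches both the journal form ("... audit[1]: AVC avc:  denied  { ... } for ...")
# and the raw audit.log form ("type=AVC msg=audit(...): avc:  denied  { ... } for ...").
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str                 # "denied" or "granted"
    perms: frozenset            # permissions inside the braces, e.g. {"create"}
    scontext: str               # full source context user:role:type:range
    tcontext: str               # full target context
    tclass: str                 # object class, e.g. unix_stream_socket
    fields: dict = field(default_factory=dict)  # every key=value pair on the line


def parse_avc(line: str):
    """Return an Avc for an AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    try:
        return Avc(m.group("result"), frozenset(m.group("perms").split()),
                   kv["scontext"], kv["tcontext"], kv["tclass"], kv)
    except KeyError:
        return None  # malformed: a real AVC record always carries these three fields


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def collect_denials(lines):
    """Aggregate denied permissions per (source type, target type, class)."""
    wanted = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is not None and avc.result == "denied":
            key = (type_of(avc.scontext), type_of(avc.tcontext), avc.tclass)
            wanted[key] |= avc.perms
    return dict(wanted)


def te_rules(lines):
    """One 'allow' statement per aggregated (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(collect_denials(lines).items())]


def render_module(name, lines):
    """checkmodule-style local module with the require block audit2allow -M would emit."""
    wanted = collect_denials(lines)
    types = sorted({s for s, _, _ in wanted} | {t for _, t, _ in wanted})
    classes = defaultdict(set)
    for (_, _, c), perms in wanted.items():
        classes[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + te_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Module name is hypothetical; the .te would be built with checkmodule -M -m,
    # packaged with semodule_package and loaded with semodule -i.
    print(render_module("rpm_ostreed_socket_local", SAMPLE_AUDIT.splitlines()))
```

For the two sample lines the script emits a single rule, `allow init_t install_t:unix_stream_socket { create listen };`, because both denials share the same source type, target type and class; feeding it a whole permissive-mode journal gives one rule per triple, which is the form a policy maintainer wants to see in a report.
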
Comment 1 Ben Cotton 2021-08-10 13:08:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

